Win2K without IE5.5 or 6.0 is no longer secure?

From: Bronek Kozicki (brok@RUBIKON.PL)
Date: 12/18/01


Date:         Tue, 18 Dec 2001 14:24:23 +0100
From: Bronek Kozicki <brok@RUBIKON.PL>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Hi

While reading comments on security bulletin MS01-058 (actually, it was
Daryl Maunder's email sent today to the ms-focus@securityfocus.com mailing
list) it hit me that Microsoft discontinued its support for IE5.0 (you
may see it listed at
http://support.microsoft.com/directory/discontinue.asp ). It
effectively forces all administrators out there to install IE5.5 or
IE6.0 on all their Windows 2000 workstations AND servers. Let me
explain: Windows 2000 comes with IE5.0 built-in, and no Service Pack or
hotfix upgrades it to IE5.5 (or IE6). Service Pack 2 upgrades IE to
version 5.01 SP2, but support for this version is also DISCONTINUED.
There is also no (Microsoft-supported) way to uninstall IE5.0 from
Windows 2000, nor any other way to make sure it will never be used on a
secured machine.

In my understanding it means that the only secure way to install Win2K
is:
- install system
- install Service Pack 2
- install all necessary hotfixes (including MS01-007, MS01-041,
MS01-044 etc.)
- install IE5.5 or IE6.0
- install IE hotfixes (like MS01-058)
... and because there is no (MS-supported) way to be 100% sure that
IE will never be used on the server, you need to install IE5.5 (or 6.0)
even there! There is also a question: is Microsoft going to include IE5.5
or 6.0 in Service Pack 3 for Windows 2000? If not, then you will always
need to take this extra step (installing IE 5.5 or 6.0) when securing a
Win2K machine! Simply put: you need to install IE5.5 or 6.0 and
patch it, in order to secure your server. Always. The other way is not only
insecure; it's also apparently unsupported by Microsoft!

I do not like this, not at all... I also wonder what it means for
Microsoft's anti-monopoly case?

What do you think?

B.

PS sorry for my poor English. I'm a bit nervous, as I have plenty of Win2K
servers around to care about...
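A fleet check of the kind this post implies, as an added example that is not part of the original message: it parses the IE version string in the form Windows records it under the Internet Explorer registry key (the exact string format and the sample build numbers are assumptions) and flags hosts that are below SP2 or still on the discontinued 5.0/5.01 releases.

```python
"""Audit a Win2K inventory against the baseline the post describes:
Service Pack 2 plus IE 5.5 or 6.0. Added example with constructed data."""
import re
from fractions import Fraction

# Constructed sample records. The ie_version field mimics the "Version" value
# under HKLM\SOFTWARE\Microsoft\Internet Explorer (format assumed: major.minor.build.sub).
INVENTORY = [
    {"host": "dc01", "sp": 2, "ie_version": "5.00.3315.1000"},   # IE 5.01 SP2
    {"host": "web01", "sp": 2, "ie_version": "5.50.4807.2300"},  # IE 5.5
    {"host": "file01", "sp": 1, "ie_version": "6.0.2600.0000"},  # IE 6 on SP1
    {"host": "app01", "sp": 2, "ie_version": "garbage"},         # unreadable value
]

# IE 5.0 and 5.01 are discontinued per the post; 5.5 is the minimum acceptable.
MIN_IE = (5, Fraction(1, 2))
MIN_SP = 2


def parse_ie_version(text):
    """Return (major, minor-as-fraction) from a registry-style IE version string, or None.

    The minor part is kept as a decimal fraction so that "5.50" (IE 5.5) sorts
    above "5.01" (IE 5.01) instead of comparing 50 against 1 as integers.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.\d+)*$", text.strip())
    if not m:
        return None
    major_s, minor_s = m.groups()
    return (int(major_s), Fraction(int(minor_s), 10 ** len(minor_s)))


def audit(records, min_sp=MIN_SP, min_ie=MIN_IE):
    """Return (host, reason) pairs for every record outside the baseline."""
    findings = []
    for r in records:
        if r["sp"] < min_sp:
            findings.append((r["host"], f"Service Pack {r['sp']} is below SP{min_sp}"))
        version = parse_ie_version(r["ie_version"])
        if version is None:
            findings.append((r["host"], f"unparseable IE version {r['ie_version']!r}"))
        elif version < min_ie:
            findings.append((r["host"], f"IE {r['ie_version']} is a discontinued release"))
    return findings


if __name__ == "__main__":
    for host, reason in audit(INVENTORY):
        print(f"{host}: {reason}")
```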
